test: tighten security audit finding assertions

src/security/audit-gateway-http-auth.test.ts

@@ -5,7 +5,10 @@ import {
   collectGatewayHttpSessionKeyOverrideFindings,
 } from "./audit-extra.sync.js";
 
-function requireFinding(findings: Array<{ checkId: string; detail: string }>, checkId: string) {
+function requireFinding(
+  findings: Array<{ checkId: string; detail: string; severity?: string }>,
+  checkId: string,
+) {
   const finding = findings.find((entry) => entry.checkId === checkId);
   if (!finding) {
     throw new Error(`Expected ${checkId} finding`);
@@ -81,9 +84,9 @@ describe("security audit gateway HTTP auth findings", () => {
     ];
 
     if (expectedFinding) {
-      expect(findings).toEqual(expect.arrayContaining([expect.objectContaining(expectedFinding)]));
+      const finding = requireFinding(findings, expectedFinding.checkId);
+      expect(finding.severity).toBe(expectedFinding.severity);
       if (detailIncludes) {
-        const finding = requireFinding(findings, expectedFinding.checkId);
         for (const text of detailIncludes) {
           expect(finding.detail, `${expectedFinding.checkId}:${text}`).toContain(text);
         }

src/security/audit-summary.test.ts

@@ -6,12 +6,11 @@ function requireAttackSurfaceSummary(
   findings: ReturnType<typeof collectAttackSurfaceSummaryFindings>,
 ) {
   const summary = findings.find((f) => f.checkId === "summary.attack_surface");
-  expect(summary).toEqual(
-    expect.objectContaining({ checkId: "summary.attack_surface", severity: "info" }),
-  );
   if (!summary) {
     throw new Error("Expected attack surface summary finding");
   }
+  expect(summary.checkId).toBe("summary.attack_surface");
+  expect(summary.severity).toBe("info");
   return summary;
 }